ADFS authentication customization

Active Directory Federation Services (ADFS) offers the possibility of a lot of customization. Because it’s C# based and running on IIS, you can do basically everything. However, most people want to add a two factor authentication or customizing the looks and feel. In this article we will first implement an additional shared password for all users, and then show how you can extend this functionallity to implement two factor authentication mechanism.

When doing these customizations, you will need to use forms authentication. This means I assume that you know how to configure this (your ADFS proxy server(s) are already configured like this). The files we will be modifying is FormsSignIn.aspx and FormsSignIn.aspx.cs.

The first thing you would want, is to add the following to your FormsSignIn.aspx file. This just adds the PIN text box, nothing else.

After modifying the file, your login page should look something like the following.

When you hit enter og the Sign In-button, the method SubmitButton_Click defined in FormsSignIn.aspx.cs is called. By default, this just involves calling SignIn( UsernameTextBox.Text, PasswordTextBox.Text ) and catching an exception if the authentication fails, but we want more. Continue on editing FormsSignIn.aspx.cs, replacing SubmitButton_Click with the following modified version.

After changing this, the PIN for all users must be 12345, or they will not be able to log on. Now this does not seem to handy, i understand, but at this point you can instead of checking whether the PIN is 12345, check against a database, a web service, a radius service or other One-Time Password services. Just put whatever you need in the VerifyPIN function. I’ll make an article on it some day.